Your browser does not support HTML5 local storage or you have disabled it. Some functionality on this site, including saving your privacy settings and offering you special discounts, uses local storage and may not work with local storage disabled. We recommend allowing the use of local storage in your browser. In some browsers, it is the same setting used for disabling cookies.

SSH

Forced Commands

A forced command causes a specified application to run automatically when the user logs in. All other applications are implicitly denied.

If you have maintenance jobs requiring non-interactive access to your server, use public-key authentication and forced commands. This way, if the private key is compromised, the public key cannot be used to perform anything other than the predetermined command on the server. This is, of course, also bad, but it would be worse if the malicious attacker would have unrestricted access to the machine.

Do not use the root (administrator) account for jobs where it is not absolutely necessary.

You can set up a forced command in the ssh-server-config.xml file.

<services>
  <rule group="backup">
    <terminal action="deny" />
    <!-- This account is only used to backup the disk drive. -->
    <subsystem type="sftp" application="sft-server-g3" action="deny" />
    <command application="dd if=/dev/hda" action="forced" />
    <tunnel-local action="deny" />
    <tunnel-remote action="deny" />
  </rule>
  ...
</services>

This would, on a successful login as the group backup, force a backup job to start.

Using the Tectia Server Configuration GUI, the same setting can be made under the Services page on the Commands tab. See Commands.

You can also use the command that was given on the sshg3 command line:

<services>
  <rule group="admin">
    <command application="echo $SSH2_ORIGINAL_COMMAND" action="forced" />
    ...
  </rule>
  ...
</services>

Running sshg3:

$ sshg3 localhost kukkuu
kukkuu
$

===AUTO_SCHEMA_MARKUP===